Abstract

Self-stabilization is a versatile approach to fault-tolerance since it permits a distributed system to recover from any transient fault that arbitrarily corrupts the contents of all memories in the system. Byzantine tolerance is an attractive feature of distributed systems that permits to cope with arbitrary malicious behaviors. Combining these two properties proved difficult: it is impossible to contain the spatial impact of Byzantine nodes in a self-stabilizing context for global tasks such as tree orientation and tree construction.

We present and illustrate a new concept of Byzantine containment in stabilization. Our property, called Strong Stabilization, enables to contain the impact of Byzantine nodes if they actually perform too many Byzantine actions. We derive impossibility results for strong stabilization and present strongly stabilizing protocols for tree orientation and tree construction that are optimal with respect to the number of Byzantine nodes that can be tolerated in a self-stabilizing context.

Keywords Byzantine fault, Distributed algorithm, Fault tolerance, Stabilization, Spanning tree construction

1 Introduction

The advent of ubiquitous large-scale distributed systems advocates that tolerance to various kinds of faults and hazards must be included from the very early design of such systems. Self-stabilization [4, 6, 15] is a versatile technique that permits forward recovery from any kind of transient faults, while Byzantine fault-tolerance [10] is traditionally used to mask the effect of a limited number of malicious faults. Making distributed systems tolerant to both transient and malicious faults is appealing yet proved difficult [7, 3, 8], as impossibility results are expected in many cases.

Two main paths have been followed to study the impact of Byzantine faults in the context of self-stabilization:

1. Byzantine fault masking. In completely connected synchronous systems, one of the most studied problems in the context of self-stabilization with Byzantine faults is that of clock synchronization. In [9, 7], probabilistic self-stabilizing protocols were proposed for up to one third of Byzantine processors, while in [8, 15] deterministic solutions tolerate up to one fourth and one third of Byzantine processors, respectively.

2. Byzantine containment. For local tasks (i.e. tasks whose correctness can be checked locally, such as vertex coloring, link coloring, or dining philosophers), the notion of strict stabilization was proposed [13, 14, 12]. Strict stabilization guarantees that there exists a containment radius outside which the effect of permanent faults is masked. In [13], the authors show that this Byzantine containment scheme is possible only for local tasks. As many problems are not local, it turns out that it is impossible to provide strict stabilization for those.



* A preliminary version of this work appears in the proceedings of the 8th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS'06), see [11].
Our Contribution In this paper, we investigate the possibility of Byzantine containment in a self-stabilizing setting for tasks that are global (i.e. for which there exists a causality chain of size r, where r depends on n, the size of the network), and focus on two global problems, namely tree orientation and tree construction. As strict stabilization is impossible with such global tasks, we weaken the containment constraint by limiting the number of times that correct processes can be disturbed by Byzantine ones. Recall that strict stabilization requires that processes beyond the containment radius eventually achieve their desired behavior and are never disturbed by Byzantine processes afterwards. We relax this requirement in the following sense: we allow these correct processes beyond the containment radius to be disturbed by Byzantine processes, but only a limited number of times, even if Byzantine nodes take an infinite number of actions.

The main contribution of this paper is to present new possibility results for containing the influence of unbounded Byzantine behaviors. In more detail, we define the notion of strong stabilization as the novel form of containment and introduce disruption times to quantify the quality of the containment. The notion of strong stabilization is weaker than strict stabilization but stronger than the classical notion of self-stabilization (i.e. every strongly stabilizing protocol is self-stabilizing, but not necessarily strictly stabilizing). While strict stabilization aims at tolerating an unbounded number of Byzantine processes, we explicitly refer to the number of Byzantine processes to be tolerated. A self-stabilizing protocol is (t, c, f)-strongly stabilizing if the subsystem consisting of processes more than c hops away from any Byzantine process is disturbed at most t times in a distributed system with at most f Byzantine processes. Here c denotes the containment radius and t denotes the disruption time.

To demonstrate the possibility and effectiveness of our notion of strong stabilization, we consider tree construction and tree orientation. It is shown in [13] that there exists no strictly stabilizing protocol with a constant containment radius for these problems. The impossibility result can be extended even when the number of Byzantine processes is upper bounded (by one). In this paper, we provide an (fΔ^d, 0, f)-strongly stabilizing protocol for rooted tree construction, provided that correct processes remain connected, where n (respectively f) is the number of processes (respectively Byzantine processes) and d is the diameter of the subsystem consisting of all correct processes. The containment radius of 0 is obviously optimal. We show that the problem of tree orientation has no constant bound for the containment radius in a tree with two Byzantine processes even when we allow processes beyond the containment radius to be disturbed a finite number of times. Then we consider the case of a single Byzantine process and present a (Δ, 0, 1)-strongly stabilizing protocol for tree orientation, where Δ is the maximum degree of processes. The containment radius of 0 is also optimal. Notice that each process does not need to know the number f of Byzantine processes and that f can be n − 1 in the worst case. In other words, the algorithm is adaptive in the sense that the disruption times depend on the actual number of Byzantine processes. Both algorithms are also optimal with respect to the number of tolerated Byzantine nodes.

2 Preliminaries 

2.1 Distributed System 

A distributed system S = (P, L) consists of a set P = {v_1, v_2, ..., v_n} of processes and a set L of bidirectional communication links (simply called links). A link is an unordered pair of distinct processes. A distributed system S can be regarded as a graph whose vertex set is P and whose link set is L, so we use graph terminology to describe a distributed system S.

Processes u and v are called neighbors if (u, v) ∈ L. The set of neighbors of a process v is denoted by N_v, and its cardinality (the degree of v) is denoted by Δ_v (= |N_v|). The degree Δ of a distributed system S = (P, L) is defined as Δ = max{Δ_v | v ∈ P}. We do not assume existence of a unique identifier for each process (that is, the system is anonymous). Instead we assume each process can distinguish its neighbors from each other by locally arranging them in some arbitrary order: the k-th neighbor of a process v is denoted by N_v(k) (1 ≤ k ≤ Δ_v).

Processes can communicate with their neighbors through link registers. For each pair of neighboring processes u and v, there are two link registers r_{u,v} and r_{v,u}. Message transmission from u to v is realized as follows: u writes a message to link register r_{u,v} and then v reads it from r_{u,v}. The link register r_{u,v} is called an output register of u and is called an input register of v. The set of all output (respectively input) registers of u is denoted by Out_u (respectively In_u), i.e. Out_u = {r_{u,v} | v ∈ N_u} and In_u = {r_{v,u} | v ∈ N_u}.

The variables that are maintained by processes denote process states. Similarly, the values of the variables stored in each link register denote the state of the registers. A process may take actions during the execution of the system. An action is simply a function that is executed in an atomic manner by the process. The actions executed by each process are described by a finite set of guarded actions of the form (guard) → (statement). Each guard of process u is a boolean expression involving the variables of u and its input registers. Each statement of process u is an update of its state and its output/input registers.

A global state of a distributed system is called a configuration and is specified by a product of states of all processes and all link registers. We define C to be the set of all possible configurations of a distributed system S. For a process set R ⊆ P and two configurations ρ and ρ', we denote ρ →_R ρ' when ρ changes to ρ' by executing an action of each process in R simultaneously. Notice that ρ and ρ' can be different only in the states of processes in R and the states of their output registers. For completeness of execution semantics, we should clarify the configuration resulting from simultaneous actions of neighboring processes. The action of a process depends only on its state at ρ and the states of its input registers at ρ, and the result of the action reflects on the states of the process and its output registers at ρ'.

A schedule of a distributed system is an infinite sequence of process sets. Let Q = R^1, R^2, ... be a schedule, where R^i ⊆ P holds for each i (i ≥ 1). An infinite sequence of configurations e = ρ_0, ρ_1, ... is called an execution from an initial configuration ρ_0 by a schedule Q, if e satisfies ρ_{i−1} →_{R^i} ρ_i for each i (i ≥ 1). Process actions are executed atomically, and we also assume that a distributed daemon schedules the actions of processes, i.e. any subset of processes can simultaneously execute their actions.

The set of all possible executions from ρ_0 ∈ C is denoted by E_{ρ_0}. The set of all possible executions is denoted by E, that is, E = ∪_{ρ∈C} E_ρ. We consider asynchronous distributed systems where we can make no assumption on schedules except that any schedule is weakly fair: every process is contained in an infinite number of subsets appearing in any schedule.

In this paper, we consider (permanent) Byzantine faults: a Byzantine process (i.e. a Byzantine-faulty process) can behave arbitrarily, independently of its actions. If v is a Byzantine process, v can repeatedly change its variables and its output registers arbitrarily.

In asynchronous distributed systems, time is usually measured by asynchronous rounds (simply called rounds). Let e = ρ_0, ρ_1, ... be an execution by a schedule Q = R^1, R^2, .... The first round of e is defined to be the minimum prefix of e, e' = ρ_0, ρ_1, ..., ρ_k, such that ∪_{i=1}^{k} R^i = P', where P' is the set of correct processes of P. Round t (t ≥ 2) is defined recursively, by applying the above definition of the first round to e'' = ρ_k, ρ_{k+1}, .... Intuitively, every correct process has a chance to update its state in every round.

2.2 Self-Stabilizing Protocol Resilient to Byzantine Faults 

Problems considered in this paper are so-called static problems, i.e. they require the system to find static solutions. For example, the spanning-tree construction problem is a static problem, while the mutual exclusion problem is not. Some static problems can be defined by a specification predicate (shortly, specification), spec(v), for each process v: a configuration is a desired one (with a solution) if every process satisfies spec(v). A specification spec(v) is a boolean expression on variables of P_v (⊆ P) where P_v is the set of processes whose variables appear in spec(v). The variables appearing in the specification are called output variables (shortly, O-variables). In what follows, we consider a static problem defined by specification spec(v).

A self-stabilizing protocol is a protocol that eventually reaches a legitimate configuration, where spec(v) holds at every process v, regardless of the initial configuration. Once it reaches a legitimate configuration, every process v never changes its O-variables and always satisfies spec(v). From this definition, a self-stabilizing protocol is expected to tolerate any number and any type of transient faults since it can eventually recover from any configuration affected by the transient faults. However, the recovery from any configuration is guaranteed only when every process correctly executes its action from the configuration, i.e., we do not consider existence of permanently faulty processes.

When (permanent) Byzantine processes exist, Byzantine processes may not satisfy spec(v). In addition, correct processes near the Byzantine processes can be influenced and may be unable to satisfy spec(v). Nesterenko and Arora [13] define a strictly stabilizing protocol as a self-stabilizing protocol resilient to an unbounded number of Byzantine processes.

Given an integer c, a c-correct process is a process defined as follows.

Definition 1 (c-correct process) A process is c-correct if it is correct (i.e. not Byzantine) and located at distance more than c from any Byzantine process.

Definition 2 ((c, f)-containment) A configuration ρ is (c, f)-contained for specification spec if, given at most f Byzantine processes, in any execution starting from ρ, every c-correct process v always satisfies spec(v) and never changes its O-variables.

The parameter c of Definition 2 refers to the containment radius defined in [13]. The parameter f refers explicitly to the number of Byzantine processes, while [13] dealt with an unbounded number of Byzantine faults (that is f ∈ {0, ..., n}).

Definition 3 ((c, f)-strict stabilization) A protocol is (c, f)-strictly stabilizing for specification spec if, given at most f Byzantine processes, any execution e = ρ_0, ρ_1, ... contains a configuration ρ_i that is (c, f)-contained for spec.

An important limitation of the model of [13] is the notion of r-restrictive specifications. Intuitively, a specification is r-restrictive if it prevents combinations of states that belong to two processes u and v that are at least r hops away. An important consequence related to Byzantine tolerance is that the containment radius of protocols solving those specifications is at least r. For some problems, such as the spanning tree construction we consider in this paper, r cannot be bounded by a constant. We can show that there exists no (o(n), 1)-strictly stabilizing protocol for the spanning tree construction.

To circumvent the impossibility result, we define a weaker notion than strict stabilization. Here, the requirement on the containment radius is relaxed, i.e. there may exist processes outside the containment radius that invalidate the specification predicate, due to Byzantine actions. However, the impact of Byzantine-triggered actions is limited in time: the set of Byzantine processes may only impact the subsystem consisting of processes outside the containment radius a bounded number of times, even if Byzantine processes execute an infinite number of actions.

From the states of c-correct processes, c-legitimate configurations and c-stable configurations are defined as follows.

Definition 4 (c-legitimate configuration) A configuration ρ is c-legitimate for spec if every c-correct process v satisfies spec(v).

Definition 5 (c-stable configuration) A configuration ρ is c-stable if every c-correct process never changes the values of its O-variables as long as Byzantine processes make no action.

Roughly speaking, the aim of self-stabilization is to guarantee that a distributed system eventually reaches a c-legitimate and c-stable configuration. However, a self-stabilizing system can be disturbed by Byzantine processes after reaching a c-legitimate and c-stable configuration. The c-disruption represents the period where c-correct processes are disturbed by Byzantine processes and is defined as follows.

Definition 6 (c-disruption) A portion of execution e = ρ_0, ρ_1, ..., ρ_t (t ≥ 1) is a c-disruption if and only if the following holds:

1. e is finite,

2. e contains at least one action of a c-correct process for changing the value of an O-variable,

3. ρ_0 is c-legitimate for spec and c-stable, and

4. ρ_t is the first configuration after ρ_0 such that ρ_t is c-legitimate for spec and c-stable.

Now we can define a self-stabilizing protocol such that Byzantine processes may only impact the subsystem consisting of processes outside the containment radius a bounded number of times, even if Byzantine processes execute an infinite number of actions.

Definition 7 ((t, k, c, f)-time contained configuration) A configuration ρ_0 is (t, k, c, f)-time contained for spec if, given at most f Byzantine processes, the following properties are satisfied:

1. ρ_0 is c-legitimate for spec and c-stable,

2. every execution starting from ρ_0 contains a c-legitimate configuration for spec after which the values of all the O-variables of c-correct processes remain unchanged (even when Byzantine processes make actions repeatedly and forever),

3. every execution starting from ρ_0 contains at most t c-disruptions, and

4. every execution starting from ρ_0 contains at most k actions of changing the values of O-variables for each c-correct process.

Definition 8 ((t, c, f)-strongly stabilizing protocol) A protocol A is (t, c, f)-strongly stabilizing if and only if starting from any arbitrary configuration, every execution involving at most f Byzantine processes contains a (t, k, c, f)-time contained configuration that is reached after at most l rounds. Parameters l and k are respectively the (t, c, f)-stabilization time and the (t, c, f)-process-disruption time of A.

Note that a (t, k, c, f)-time contained configuration is a (c, f)-contained configuration when t = k = 0, and thus, a (t, k, c, f)-time contained configuration is a generalization (relaxation) of a (c, f)-contained configuration. Thus, a strongly stabilizing protocol is weaker than a strictly stabilizing one (as processes outside the containment radius may take incorrect actions due to Byzantine influence). However, a strongly stabilizing protocol is stronger than a classical self-stabilizing one (that may never meet its specification in the presence of Byzantine processes).

The parameters t, k and c are introduced to quantify the strength of fault containment; we do not require each process to know the values of the parameters. Actually, the protocols proposed in this paper assume no knowledge of the parameters.

There exists some relationship between these parameters, as the following proposition states:

Proposition 1 If a configuration is (t, k, c, f)-time contained for spec, then t ≤ nk.

Proof Let ρ_0 be a (t, k, c, f)-time contained configuration for spec. Assume that t > nk.

If there exists no execution e = ρ_0, ρ_1, ... such that e contains at least nk + 1 c-disruptions, then ρ_0 is in fact an (nk, k, c, f)-time contained configuration for spec (and hence, we have t ≤ nk). This is contradictory. So, there exists an execution e = ρ_0, ρ_1, ... such that e contains at least nk + 1 c-disruptions.

As any c-disruption contains at least one action of a c-correct process for changing the value of an O-variable by definition, we obtain that e contains at least nk + 1 actions of c-correct processes for changing the values of O-variables. There are at most n c-correct processes. So, there exists at least one c-correct process which takes at least k + 1 actions for changing the value of O-variables in e. This is contradictory with the fact that ρ_0 is a (t, k, c, f)-time contained configuration for spec. □



2.3 Discussion

There exists an analogy between the respective powers of (c, f)-strict stabilization and (t, c, f)-strong stabilization on the one hand, and self-stabilization and pseudo-stabilization on the other hand.

A pseudo-stabilizing protocol (defined in [2]) guarantees that every execution has a suffix that matches the specification, but it could never reach a legitimate configuration from which any possible execution matches the specification. In other words, a pseudo-stabilizing protocol can continue to behave satisfying the specification, but with the possibility of invalidating the specification in the future. A particular schedule can prevent a pseudo-stabilizing protocol from reaching a legitimate configuration for an arbitrarily long time, but cannot prevent it from executing its desired behavior (that is, a behavior satisfying the specification) for an arbitrarily long time. Thus, a pseudo-stabilizing protocol is useful since desired behavior is eventually reached.

Similarly, every execution of a (t, c, f)-strongly stabilizing protocol has a suffix such that every c-correct process executes its desired behavior. But, for a (t, c, f)-strongly stabilizing protocol, there may exist executions such that the system never reaches a configuration after which Byzantine processes never have the ability to disturb the c-correct processes: all the c-correct processes can continue to execute their desired behavior, but with the possibility that the system (resp. each process) could be disturbed at most t (resp. k) times by Byzantine processes in the future. A notable but subtle difference is that the invalidation of the specification is caused only by the effect of Byzantine processes in a (t, c, f)-strongly stabilizing protocol, while the invalidation can be caused by a scheduler in a pseudo-stabilizing protocol.

3 Strongly-Stabilizing Spanning Tree Construction 

3.1 Problem Definition 

In this section, we consider only distributed systems in which a given process r is distinguished as the root of the tree.

For spanning tree construction, each process v has an O-variable prnt_v to designate a neighbor as its parent. Since processes have no identifiers, prnt_v actually stores k (∈ {1, 2, ..., Δ_v}) to designate its k-th neighbor as its parent. No neighbor is designated as the parent of v when prnt_v = 0 holds. For simplicity, we use prnt_v = k (∈ {1, 2, ..., Δ_v}) and prnt_v = u (where u is the k-th neighbor of v, i.e. u = N_v(k)) interchangeably, and prnt_v = 0 and prnt_v = ⊥ interchangeably.

The goal of spanning tree construction is to set prnt_v of every process v to form a rooted spanning tree, where prnt_v = 0 should hold for the root process r.

We consider Byzantine processes that can behave arbitrarily. The faulty processes can behave as if they were any internal processes of the spanning tree, or even as if they were the root process. The first restriction we make on Byzantine processes is that we assume the root process r can start from an arbitrary state, but behaves correctly according to the protocol. Another restriction on Byzantine processes is that we assume that all the correct processes form a connected subsystem; Byzantine processes never partition the system.

Since it is impossible, for example, to distinguish the (real) root r from the faulty processes behaving as the root, we have to allow that a spanning forest (consisting of multiple trees) is constructed, where each tree is rooted at a root, correct or faulty.

We define the specification predicate spec(v) of the tree construction as follows.

$$
\mathit{spec}(v) :
\begin{cases}
(\mathit{prnt}_v = 0) \wedge (\mathit{level}_v = 0) & \text{if } v \text{ is the root } r \\
(\mathit{prnt}_v \in \{1, \dots, \Delta_v\}) \wedge \big((\mathit{level}_v = \mathit{level}_{\mathit{prnt}_v} + 1) \vee (\mathit{prnt}_v \text{ is Byzantine})\big) & \text{otherwise}
\end{cases}
$$

Notice that spec(v) requires that a spanning tree is constructed at any 0-legitimate configuration, when no Byzantine process exists.

Figure 1 shows an example of a 0-legitimate configuration with Byzantine processes. The arrow attached to each process points to the neighbor designated as its parent.

Figure 1: A legitimate configuration for spanning tree construction (numbers denote the level of processes). r is the (real) root and b is a Byzantine process which acts as a (fake) root.

3.2 Protocol ss-ST

In many self-stabilizing tree construction protocols (see the survey of [5]), each process checks locally the consistency of its level variable with respect to the ones of its neighbors. When it detects an inconsistency, it changes its prnt variable in order to choose a "better" neighbor. The notion of "better" neighbor is based on the global desired property of the tree (e.g. shortest path tree, minimum spanning tree, ...).

When the system may contain Byzantine processes, they may disturb their neighbors by providing alternately "better" and "worse" states. The key idea of protocol ss-ST to circumvent this kind of perturbation is the following: when a correct process detects a local inconsistency, it does not choose a "better" neighbor but chooses another neighbor according to a round-robin order (over the set of its neighbors).

Figure 2 presents our strongly-stabilizing spanning tree construction protocol ss-ST that can tolerate any number of Byzantine processes other than the root process (provided that the subset of correct processes remains connected). These assumptions are necessary since a Byzantine root or a set of Byzantine processes that disconnects the set of correct processes may disturb all the tree infinitely often. Then, it is impossible to provide a (t, c, f)-strongly stabilizing protocol for any finite integer t.

The protocol is composed of three rules. Only the root can execute the first one (GA0). This rule sets the root in a legitimate state if it is not the case. Non-root processes may execute the two other rules (GA1 and GA2). The rule GA1 is executed when the state of a process is not legitimate. Its execution leads the process to choose a new parent and to compute its local state as a function of this new parent. The last rule (GA2) is enabled when a process is in a legitimate state but there exists an inconsistency between its variables and its shared registers. The execution of this rule leads the process to compute the consistent values for all its shared registers.



3.3 Proof of Strong Stabilization of ss-ST

We cannot make any assumption on the initial values of register variables. But we can observe that if an output register of a correct process has values inconsistent with the process variables, then this process is enabled by a rule of ss-ST. By the fairness assumption, any such process takes a step in finite time.

Once a correct process v executes one of its actions, the variables of its output registers have values consistent with the process variables: r-prnt_{v,prnt_v} = true, r-prnt_{v,w} = false (w ∈ N_v − {prnt_v}), and r-level_{v,w} = level_v (w ∈ N_v) hold.

Consequently, we can assume in the following that all the variables of output registers of every correct process have values consistent with the process variables.



constants of process v
    Δ_v = the degree of v;
    N_v = the set of neighbors of v;
variables of process v
    prnt_v ∈ {0, 1, 2, ..., Δ_v}: integer;  // prnt_v = 0 if v has no parent,
                                            // prnt_v = k ∈ {1, 2, ..., Δ_v} if N_v(k) is the parent of v.
    level_v: integer;                       // distance from the root.
variables in shared register r_{v,u}
    r-prnt_{v,u}: boolean;                  // r-prnt_{v,u} = true iff u is the parent of v.
    r-level_{v,u}: integer;                 // the value of level_v.
predicates
    pred0 : prnt_v ≠ 0 or level_v ≠ 0 or ∃w ∈ N_v, [(r-prnt_{v,w}, r-level_{v,w}) ≠ (false, 0)]
    pred1 : prnt_v ∉ {1, 2, ..., Δ_v} or level_v ≠ r-level_{prnt_v,v} + 1
    pred2 : (r-prnt_{v,prnt_v}, r-level_{v,prnt_v}) ≠ (true, level_v)
            or ∃w ∈ N_v − {prnt_v}, [(r-prnt_{v,w}, r-level_{v,w}) ≠ (false, level_v)]
atomic action of the root v = r  // represented in form of guarded action
    GA0 : pred0 →
          prnt_v := 0;
          level_v := 0;
          for each w ∈ N_v do (r-prnt_{v,w}, r-level_{v,w}) := (false, 0);
atomic actions of v ≠ r  // represented in form of guarded actions
    GA1 : pred1 →
          prnt_v := next_v(prnt_v) where next_v(k) = (k mod Δ_v) + 1;
          level_v := r-level_{prnt_v,v} + 1;
          (r-prnt_{v,prnt_v}, r-level_{v,prnt_v}) := (true, level_v);
          for each w ∈ N_v − {prnt_v} do (r-prnt_{v,w}, r-level_{v,w}) := (false, level_v);
    GA2 : ¬pred1 and pred2 →
          (r-prnt_{v,prnt_v}, r-level_{v,prnt_v}) := (true, level_v);
          for each w ∈ N_v − {prnt_v} do (r-prnt_{v,w}, r-level_{v,w}) := (false, level_v);

Figure 2: Protocol ss-ST (actions of process v)
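To make the round-robin rule of Figure 2 and the disruption bookkeeping of Definitions 4 to 7 concrete, the following Python simulation is an added example; it is not code from the paper. It builds a constructed four-process network r - a - c - b with one Byzantine process b that first poses as a root at level 0 and then keeps alternating the level it advertises; the neighbor orders, the corrupted initial values, the adversary's strategy and the daemon's sequential schedule are all assumptions of the example. The code implements GA0, GA1 and GA2 as written in Figure 2, checks 0-legitimacy and 0-stability of each configuration (with c = 0 every correct process is 0-correct), and counts 0-disruptions and per-process O-variable changes after the first legitimate and stable configuration, so they can be compared with the bounds fΔ^d and Δ^d of Lemma 3 (here Δ = 2, d = 2, f = 1).

```python
"""Simulation of the ss-ST protocol on a small anonymous network (added example)."""
from itertools import cycle

# Constructed topology r - a - c - b; N_v(k) is NBRS[v][k-1] (local, arbitrary order).
NBRS = {"r": ["a"], "a": ["r", "c"], "c": ["a", "b"], "b": ["c"]}
ROOT, BYZ = "r", {"b"}
CORRECT = [v for v in NBRS if v not in BYZ]


class System:
    """Process variables prnt_v, level_v and shared registers r_{v,u} = (r-prnt, r-level)."""

    def __init__(self):
        self.prnt = {"r": 1, "a": 2, "c": 1}          # arbitrary (corrupted) initial values
        self.level = {"r": 5, "a": 7, "c": 3}
        self.reg = {(v, u): (True, 42) for v in NBRS for u in NBRS[v]}
        for u in NBRS["b"]:                           # b initially poses as a root at level 0
            self.reg[("b", u)] = (False, 0)

    def parent(self, v):
        k = self.prnt[v]
        return NBRS[v][k - 1] if 1 <= k <= len(NBRS[v]) else None

    # --- guards of Figure 2 ---------------------------------------------------
    def pred0(self, v):
        return self.prnt[v] != 0 or self.level[v] != 0 or any(
            self.reg[(v, w)] != (False, 0) for w in NBRS[v])

    def pred1(self, v):
        p = self.parent(v)
        return p is None or self.level[v] != self.reg[(p, v)][1] + 1

    def pred2(self, v):
        p = self.parent(v)
        return self.reg[(v, p)] != (True, self.level[v]) or any(
            self.reg[(v, w)] != (False, self.level[v]) for w in NBRS[v] if w != p)

    def publish(self, v):
        """Write v's variables into all of its output registers."""
        p = self.parent(v)
        for w in NBRS[v]:
            self.reg[(v, w)] = (w == p, self.level[v])

    def step(self, v):
        """Execute the enabled action of correct process v; True iff an O-variable changed."""
        old = (self.prnt[v], self.level[v])
        if v == ROOT:
            if self.pred0(v):                                       # GA0
                self.prnt[v], self.level[v] = 0, 0
                self.publish(v)
        elif self.pred1(v):                                         # GA1: round-robin parent
            self.prnt[v] = (self.prnt[v] % len(NBRS[v])) + 1        # next_v(prnt_v)
            self.level[v] = self.reg[(self.parent(v), v)][1] + 1
            self.publish(v)
        elif self.pred2(v):                                         # GA2: repair registers only
            self.publish(v)
        return (self.prnt[v], self.level[v]) != old

    def byzantine_step(self, v, advertised):
        """Constructed adversary: b rewrites its output registers with a chosen level."""
        for w in NBRS[v]:
            self.reg[(v, w)] = (False, advertised)

    # --- Definitions 4 and 5 with c = 0 (every correct process is 0-correct) --
    def spec(self, v):
        if v == ROOT:
            return self.prnt[v] == 0 and self.level[v] == 0
        p = self.parent(v)
        return p is not None and (p in BYZ or self.level[v] == self.level[p] + 1)

    def legitimate_and_stable(self):
        """0-legitimate, and no correct process can change an O-variable while the
        Byzantine processes stay silent (GA0 through prnt/level, or GA1)."""
        legit = all(self.spec(v) for v in CORRECT)
        quiet = not any(((self.prnt[v], self.level[v]) != (0, 0)) if v == ROOT
                        else self.pred1(v) for v in CORRECT)
        return legit and quiet


def simulate(schedule=("b", "r", "a", "c"), advertised=(0, 100), max_steps=40):
    """Sequential weakly fair daemon; b cycles through the advertised levels.
    Returns the number of 0-disruptions (Definition 6) and, per correct process, the
    O-variable changes made after the first legitimate and stable configuration."""
    s = System()
    levels = cycle(advertised)
    seen_ls, pending, disruptions = False, 0, 0
    changes = {v: 0 for v in CORRECT}
    for _, v in zip(range(max_steps), cycle(schedule)):
        if s.legitimate_and_stable():           # configuration before this step
            seen_ls, disruptions, pending = True, disruptions + bool(pending), 0
        if v in BYZ:
            s.byzantine_step(v, next(levels))
        elif s.step(v) and seen_ls:
            pending += 1
            changes[v] += 1
    if s.legitimate_and_stable():               # close a disruption ending at the last step
        disruptions += bool(pending)
    return {"disruptions": disruptions, "changes": changes,
            "parent_of_c": s.parent("c"), "stable": s.legitimate_and_stable()}


if __name__ == "__main__":
    print(simulate())
```

Running the block reports a single 0-disruption: during convergence c adopts b as its parent (LC admits a Byzantine parent), b's change of advertised level then enables GA1 at c, and the round-robin rule moves c's pointer to a; from then on b's further changes never enable c again, since pred1 only reads the register of the current parent. Both the disruption count and the one O-variable change at c stay well below the bound Δ^d = 4.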



We denote by LC the following set of configurations:

$$
LC = \{\rho \in C \mid (\mathit{prnt}_r = 0) \wedge (\mathit{level}_r = 0) \wedge (\forall v \in V - (B \cup \{r\}),\ (\mathit{prnt}_v \in \{1, \dots, \Delta_v\}) \wedge (\mathit{level}_v = \mathit{level}_{\mathit{prnt}_v} + 1))\}
$$

We now turn to properties of configurations of LC.

Lemma 1 Any configuration of LC is 0-legitimate and 0-stable.

Proof Let ρ be a configuration of LC. By definition of spec, it is obvious that ρ is 0-legitimate.

Note that no correct process is enabled by ss-ST in ρ. Consequently, no action of ss-ST can be executed and we can deduce that ρ is 0-stable. □

We can observe that there exist some 0-legitimate configurations which do not belong to LC (for example the one of Figure 1).

Lemma 2 Given at most n − 1 Byzantine processes, for any initial configuration ρ_0 and any execution e = ρ_0, ρ_1, ... starting from ρ_0, there exists a configuration ρ_i such that ρ_i ∈ LC.

Proof First, note that if all the correct processes are disabled in a configuration ρ, then ρ belongs to LC. Thus, it is sufficient to show that ss-ST eventually reaches a configuration ρ_i in any execution (starting from any configuration) such that all the correct processes are disabled in ρ_i.

By contradiction, assume that there exists a correct process that is enabled infinitely often. Notice that once the root process r is activated, r becomes and remains disabled forever. From the assumption that all the correct processes form a connected subsystem, there exist two neighboring correct processes u and v such that u becomes and remains disabled and v is enabled infinitely often. Consider the execution after u becomes and remains disabled. Since the daemon is weakly fair, v executes its action infinitely often. Then, eventually v designates u as its parent. It follows that v never becomes enabled again unless u changes level_u. Since u never becomes enabled, this leads to the contradiction. □

Lemma 3 Any configuration in CC is a {f A"^, A'^,0, f) -time contained configuration of the spanning tree 
construction, where f is the number of Byzantine processes and d is the diameter of the subsystem consisting 
of all the correct processes. 

Proof Let po be a configuration of CC and e = p^, pi, ... be an execution starting from pQ. First, we show 
that any 0-correct process takes at most A'^ actions in e, where d is the diameter of the subsystem consisting 
of all the correct processes. 

Let F be the set of Byzantine processes in e. Consider a subsystem S' consisting of all the correct 
processes: S' — {P — F,L') where L' — {I ^ L \ I ^ {P ~ F) x [P - F)}. We prove by induction on the 
distance 5 from the root in S' that a correct process v 5 hops away from r in S' executes its action at most 
A times in e. 

• Induction basis {5 = 1): 

Let V be any correct process neighboring to the root r. Since po is a legitimate configuration, prntr — 
and levelr = hold at po and remain unchanged in e. Thus, if prnty = r and levels = 1 hold in a 
configuration a, then v never changes prnty or levely in any execution starting from a. Since prnty = r 
and levely — 1 hold within the first A^ — 1 < A actions of v, v can execute its action at most A times. 

• Induction step (with induction assumption):

Let $v$ be any correct process $\delta$ hops away from the root $r$ in $S'$, and $u$ be a correct neighbor of $v$ that is $\delta - 1$ hops away from $r$ in $S'$ (this process exists by the assumption that the subgraph of correct processes of $S$ is connected). From the induction assumption, $u$ can execute its action at most $\Delta^{\delta-1}$ times.

Assume that $prnt_v = u$ and $level_v = level_u + 1$ hold in a given configuration $\alpha$. We can observe that $v$ is not enabled until $u$ modifies its state. Then, the round-robin order used for pointer modification allows us to deduce that $v$ executes at most $\Delta_v \le \Delta$ actions between two consecutive actions of $u$ (or before the first action of $u$). By the induction assumption, $u$ executes its action at most $\Delta^{\delta-1}$ times. Thus, $v$ can execute its action at most $\Delta + \Delta \times (\Delta^{\delta-1} - 1) = \Delta^\delta$ times.

Consequently, any 0-correct process takes at most $\Delta^d$ actions in $e$.

We say that a Byzantine process $b$ deceives a correct neighbor $v$ in the step $\rho \mapsto \rho'$ if the state of $b$ makes the guard of an action of $v$ true in $\rho$ and if $v$ executes this action in this step.

As a 0-disruption can be caused only by an action of a Byzantine process from a legitimate configuration, we can bound the number of 0-disruptions by counting the total number of times that correct processes are deceived by neighboring Byzantine processes.

If a 0-correct process $v$ is deceived by a Byzantine neighbor $b$, it necessarily takes $\Delta_v$ actions before being deceived again by $b$ (recall that we use a round-robin policy for $prnt_v$). As any 0-correct process $v$ takes at most $\Delta^d$ actions in $e$, $v$ can be deceived by a given Byzantine neighbor at most $\Delta^{d-1}$ times. A Byzantine process can have at most $\Delta$ neighboring correct processes and thus can deceive correct processes at most $\Delta \times \Delta^{d-1} = \Delta^d$ times. We have at most $f$ Byzantine processes, so the total number of times that correct processes are deceived by neighboring Byzantine processes is at most $f\Delta^d$.

Hence, the number of 0-disruptions in $e$ is bounded by $f\Delta^d$. It remains to show that any 0-disruption has a finite length to prove the result.

By contradiction, assume that there exists an infinite 0-disruption $d = \rho_i, \ldots$ in $e$. This implies that for all $j \ge i$, $\rho_j$ is not in $\mathcal{LC}$, which contradicts Lemma 2. Then, the result is proved. □

Theorem 1 (Strong-stabilization) Protocol ss-ST is an $(f\Delta^d, 0, f)$-strongly stabilizing protocol for the spanning tree construction, where $f$ is the number of Byzantine processes and $d$ is the diameter of the subsystem consisting of all the correct processes.

Proof From Lemmas 1 and 3, it is sufficient to show that ss-ST eventually reaches a configuration in $\mathcal{LC}$. Lemma 2 allows us to conclude. □

3.4 Time Complexities 

Proposition 2 The $(f\Delta^d, 0, f)$-process-disruption time of ss-ST is $\Delta^d$ where $d$ is the diameter of the subsystem consisting of all the correct processes.

Proof This result directly follows from Theorem 1 and Lemma 3. □

Proposition 3 The $(f\Delta^d, 0, f)$-stabilization time of ss-ST is $O((n - f)\Delta^d)$ rounds where $f$ is the number of Byzantine processes and $d$ is the diameter of the subsystem consisting of all the correct processes.

Proof By the construction of the algorithm, any correct process $v$ which has a correct neighbor $u$ takes at most $\Delta$ steps between two actions of $u$.

Given two processes $u$ and $v$, we denote by $d'(u,v)$ the distance between $u$ and $v$ in the subgraph of correct processes of $S$. We are going to prove the following property by induction on $i > 0$:

$(P_i)$: any correct process $v$ such that $d'(v,r) = i$ takes at most $2 \cdot \sum_{j=1}^{i} \Delta^j$ steps in any execution starting from any configuration.

• Induction basis ($i = 1$):

Let $v$ be a correct neighbor of the root $r$. By the algorithm, we know that the root $r$ takes at most one step (because $r$ is correct). By the previous remark, we know that $v$ takes at most $\Delta$ steps before and after the action of $r$. Consequently, $v$ takes at most $2\Delta$ steps in any execution starting from any configuration.

• Induction step ($i > 1$ with induction assumption):

Let $v$ be a correct process such that $d'(v,r) = i$. Denote by $u$ one neighbor of $v$ such that $d'(u,r) = i - 1$ (this process exists by the assumption that the subgraph of correct processes of $S$ is connected).

By the previous remark, we know that $v$ takes at most $\Delta$ steps before the first action of $u$, between two actions of $u$ and after the last action of $u$. By the induction assumption, we know that $u$ takes at most $2 \cdot \sum_{j=1}^{i-1} \Delta^j$ steps. Consequently, $v$ takes at most $A$ actions where:

$$A = \Delta + \Bigl(2 \cdot \sum_{j=1}^{i-1} \Delta^j\Bigr) \cdot \Delta + \Delta = 2 \cdot \sum_{j=1}^{i} \Delta^j$$

Since there are $(n - f)$ correct processes and any correct process satisfies $d'(v,r) \le d$, we can deduce that the system reaches a legitimate configuration in at most $O((n - f)\Delta^d)$ steps of correct processes.

As a round counts at least one step of a correct process, we obtain the result. □

4 Strongly-Stabilizing Tree Orientation 

4.1 Problem Definition 

In this section, we consider only tree systems, i.e. distributed systems containing no cycles. We assume that 
all processes in a tree system are identical and thus no process is distinguished as a root. 

Informally, tree orientation consists in transforming a tree system (with no root) into a rooted tree system. Each process $v$ has an O-variable $prnt_v$ to designate a neighbor as its parent. Since processes have no identifiers, $prnt_v$ actually stores $k$ ($\in \{1, 2, \ldots, \Delta_v\}$) to designate its $k$-th neighbor as its parent. But for simplicity, we use $prnt_v = k$ and $prnt_v = u$ (where $u$ is the $k$-th neighbor of $v$) interchangeably.

The goal of tree orientation is to set $prnt_v$ of every process $v$ to form a rooted tree. However, it is impossible to choose a single process as the root because of the impossibility of symmetry breaking. Thus, instead of a single root process, a single root link is determined as the root: link $(u, v)$ is the root link when processes $u$ and $v$ designate each other as their parents (Fig. 3(a)). From any process $w$, the root link can be reached by following the neighbors designated by the variables $prnt$.

When a tree system $S$ has a Byzantine process (say $w$), $w$ can prevent communication between subtrees of $S - \{w\}$¹. Thus, we have to allow each of the subtrees to form a rooted tree independently. We define the specification predicate $spec(v)$ of the tree orientation as follows.

$$spec(v) : \forall u \in N_v\,[(prnt_v = u) \lor (prnt_u = v) \lor (u \text{ is Byzantine faulty})].$$

Note that the tree topology, the specification and the uniqueness of $prnt_v$ (for any process $v$) imply that, for any 0-legitimate configuration, there is at most one root link in any connected component of correct processes. Hence, in a fault-free system, there exists exactly one root link in any 0-legitimate configuration.

Figure 3 shows examples of 0-legitimate configurations (a) with no Byzantine process and (b) with a single Byzantine process $w$. The arrow attached to each process points to the neighbor designated as its parent. Notice that, from Fig. 3(b), subtrees consisting of correct processes are classified into two categories: one is the case of forming a rooted tree with a root link in the subtree ($T_1$ in Fig. 3(b)), and the other is the case of forming a rooted tree with a root process, where the root process is a neighbor of a Byzantine process and designates the Byzantine process as its parent ($T_2$ in Fig. 3(b)).



¹ For a process subset $P'$ ($\subseteq P$), $S - P'$ denotes a distributed system obtained by removing processes in $P'$ and their incident links.

Figure 3: Tree orientation. (a) Case with no fault. (b) Case with Byzantine process $w$.

4.2 Impossibility for Two Byzantine Processes 

Tree orientation seems to be a very simple task. Actually, for tree orientation in fault-free systems, we can design a self-stabilizing protocol that chooses a link incident to a center process² as the root link: in case the system has a single center, the center can choose a link incident to it, and in case the system has two neighboring centers, the link between the centers becomes the root link. However, tree orientation becomes impossible if we have Byzantine processes. By the impossibility results of [13], we can show that tree orientation has no $(o(n), 1)$-strictly stabilizing protocol; i.e. the Byzantine influence cannot be contained in the sense of "strict stabilization", even if only a single Byzantine process is allowed.

An interesting question is whether the Byzantine influence can be contained in the weaker sense of "strong stabilization". The following theorem gives a negative answer to the question: if we have two Byzantine processes, bounding the number of disruptions is impossible. We prove the impossibility for a more restricted scheduler, called the central daemon, which disallows two or more processes to make actions at the same time. Notice that impossibility results under the central daemon are stronger than those under the distributed daemon in the sense that impossibility results under the central daemon also hold for the distributed daemon.

Theorem 2 Even under the central daemon, there exists no deterministic $(t, o(n), 2)$-strongly stabilizing protocol for tree orientation where $t$ is any (finite) integer and $n$ is the number of processes.

Proof Let $S = (P, L)$ be a chain (which is a special case of a tree system) of $n$ processes: $P = \{v_1, v_2, \ldots, v_n\}$ and $L = \{(v_i, v_{i+1}) \mid 1 \le i \le n - 1\}$.

For the purpose of contradiction, assume that there exists a $(t, o(n), 2)$-strongly stabilizing protocol $A$ for some integer $t$. In the following, we show, for $S$ with Byzantine processes $v_1$ and $v_n$, that $A$ has an execution $e$ containing an infinite number of $o(n)$-disruptions. This contradicts the assumption that $A$ is a $(t, o(n), 2)$-strongly stabilizing protocol.

In $S$ with Byzantine processes $v_1$ and $v_n$, $A$ eventually reaches a configuration $\rho_1$ that is $o(n)$-legitimate for $spec$ and $o(n)$-stable by definition of a $(t, o(n), 2)$-strongly stabilizing protocol. This execution to $\rho_1$ constitutes the prefix of $e$.

To construct $e$ after $\rho_1$, consider another chain $S' = (P', L')$ of $3n$ processes and an execution of $A$ on $S'$, where $P' = \{w_1, w_2, \ldots, w_{3n}\}$ and $L' = \{(w_i, w_{i+1}) \mid 1 \le i \le 3n - 1\}$. We consider the initial configuration $\rho'_1$ of $S'$ that is obtained by concatenating three copies (say $S'_1$, $S'_2$ and $S'_3$) of $S$ in $\rho_1$ where only the central copy $S'_2$ is reversed right-and-left (Fig. 4). More formally, the state of $w_i$ and of $w_{2n+i}$ in $\rho'_1$ is the same as the one of $v_i$ in $\rho_1$ for any $i \in \{1, \ldots, n\}$. Moreover, for any $i \in \{1, \ldots, n\}$, the state of $w_{n+i}$ in $\rho'_1$ is the same as the one of $v_i$ in $\rho_1$ with the following modification: if $prnt_{v_i} = v_{i-1}$ (respectively $prnt_{v_i} = v_{i+1}$) in $\rho_1$, then $prnt_{w_{n+i}} = w_{n+i+1}$ (respectively $prnt_{w_{n+i}} = w_{n+i-1}$) in $\rho'_1$. For example, if $w$ denotes a center process of $S$ (i.e. $w = v_{\lceil n/2 \rceil}$), then $w$ is copied to $w'_1 = w_{\lceil n/2 \rceil}$, $w'_2 = w_{2n+1-\lceil n/2 \rceil}$ and $w'_3 = w_{2n+\lceil n/2 \rceil}$, but only $prnt_{w'_2}$ designates the neighbor in the different direction from $prnt_{w'_1}$ and $prnt_{w'_3}$.

² A process $v$ is a center when $v$ has the minimum eccentricity, where the eccentricity is the largest distance to a leaf. It is known that a tree has a single center or two neighboring centers.

Figure 4: Construction of an execution where $w$ of $S'$ changes its parent infinitely often. (a) Construction of $S'$ from three copies of $S$ and convergence of $S'$. (b) Execution of $S$ where $w$ changes its parent.
From the configuration $\rho'_1$, protocol $A$ eventually reaches a legitimate configuration $\rho''_1$ of $S'$ when $S'$ has no Byzantine process (since a strongly stabilizing protocol is self-stabilizing in a fault-free system). In the execution from $\rho'_1$ to $\rho''_1$, at least one $prnt$ variable of $w'_1$, $w'_2$ and $w'_3$ has to change (otherwise, it is impossible to guarantee the uniqueness of the root link in $\rho''_1$). Assume $w'_i$ changes $prnt_{w'_i}$.

Now, we construct the execution $e$ on $S$ after $\rho_1$. The main idea of this proof is to construct an execution on $S$ indistinguishable (for correct processes) from one of $S'$ because Byzantine processes of $S$ behave as correct processes of $S'$. Since $v_1$ and $v_n$ are Byzantine processes in $S$, $v_1$ and $v_n$ can simulate the behavior of the end processes of $S'_i$ (i.e. $w_{(i-1)n+1}$ and $w_{in}$). Thus, $S$ can behave in the same way as $S'_i$ does from $\rho'_1$ to $\rho''_1$. Recall that process $w'_i$ modifies its pointer in the execution of $S'_i$ from $\rho'_1$ to $\rho''_1$. Consequently, we can construct the execution that constitutes the second part of $e$, where $prnt_w$ changes at least once. Letting the resulting configuration be $\rho_2$ (that coincides with the configuration $\rho''_1$ of $S'_i$), $\rho_2$ is clearly $o(n)$-legitimate for $spec$ and $o(n)$-stable. Thus, the second part of $e$ contains at least one $o(n)$-disruption.

By repeating the argument, we can construct the execution $e$ of $A$ on $S$ that contains an infinite number of $o(n)$-disruptions. □
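The counting behind "at least one $prnt$ variable of $w'_1$, $w'_2$ and $w'_3$ has to change" can be checked mechanically. The following is an added example, not code from the paper: a chain configuration is encoded as a list of pointer directions (+1: designate the right neighbor, -1: the left one), `triple_chain` builds $\rho'_1$ from $\rho_1$ exactly as in the proof (three copies, the central one with every pointer mirrored), and the helpers count root links (both endpoints designate each other) and unclaimed links (neither does). The sample $\rho_1$ for $n = 5$ with Byzantine $v_1$ and $v_5$ is a constructed assumption that satisfies $spec$ for the correct processes. Because a chain of $m$ processes has $m$ pointers for $m - 1$ links, the number of root links exceeds the number of unclaimed links by exactly one whenever both ends point inward; mirroring the central copy turns its root link into an unclaimed link, so $\rho'_1$ has two root links and is not legitimate for the fault-free $S'$.

```python
# Chain configuration: dirs[i] = +1 if v_{i+1} designates v_{i+2}, -1 if v_i (0-based list)

def spec_holds(dirs, byz):
    """spec(v) of Section 4.1 for every correct process v of the chain."""
    n = len(dirs)
    for v in range(n):
        if v in byz:
            continue
        for u in (v - 1, v + 1):
            if not 0 <= u < n or u in byz:
                continue                       # no such neighbor, or a Byzantine one
            toward_u = 1 if u > v else -1
            if dirs[v] != toward_u and dirs[u] != -toward_u:
                return False                   # link (v,u) designated by neither endpoint
    return True


def root_links(dirs):
    """Indices i of links (v_{i+1}, v_{i+2}) whose endpoints designate each other."""
    return [i for i in range(len(dirs) - 1) if dirs[i] == 1 and dirs[i + 1] == -1]


def unclaimed_links(dirs):
    """Indices of links designated by neither endpoint (forbidden between correct processes)."""
    return [i for i in range(len(dirs) - 1) if dirs[i] == -1 and dirs[i + 1] == 1]


def triple_chain(dirs):
    """rho'_1 of S': copies S'_1, S'_2, S'_3 of rho_1 with every pointer of S'_2 mirrored."""
    return list(dirs) + [-d for d in dirs] + list(dirs)


def legitimate_fault_free(dirs):
    """A fault-free chain is legitimate iff it has one root link and no unclaimed link."""
    return len(root_links(dirs)) == 1 and not unclaimed_links(dirs)


# Constructed sample rho_1 (n = 5): v_1 and v_5 Byzantine, root link (v_2, v_3).
RHO_1 = [1, 1, -1, -1, -1]
BYZ = {0, 4}

if __name__ == "__main__":
    rho = triple_chain(RHO_1)
    print("rho_1 satisfies spec for correct processes:", spec_holds(RHO_1, BYZ))
    print("root links of rho'_1:", root_links(rho), "unclaimed:", unclaimed_links(rho))
    print("rho'_1 legitimate for fault-free S':", legitimate_fault_free(rho))
```

Running it shows $\rho'_1$ with root links at the images of $(v_2, v_3)$ in $S'_1$ and $S'_3$ and an unclaimed link in the middle of $S'_2$, which is why $A$ must move some pointer before reaching $\rho''_1$.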
4.3 A Strongly Stabilizing Protocol for a Single Byzantine Process

4.3.1 Protocol ss-TO

In the previous subsection, we proved that there is no strongly stabilizing protocol for tree orientation if two Byzantine processes exist. In this subsection, we consider the case with at most a single Byzantine process, and present a $(\Delta, 0, 1)$-strongly stabilizing tree orientation protocol ss-TO. Note that we consider the distributed daemon for this possibility result.

In a fault-free tree system, tree orientation can be easily achieved by finding a center process. A simple strategy for finding the center process is that each process $v$ informs each neighbor $u$ of the maximum distance to a leaf from $u$ through $v$. The distances are found and become fixed from smaller ones. When a tree system contains a single Byzantine process, however, this strategy cannot prevent the perturbation caused by wrong distances the Byzantine process provides: by alternately reporting longer and shorter distances than the correct one, the Byzantine process can repeatedly pull the chosen center closer and push it farther.

The key idea of protocol ss-TO to circumvent the perturbation is to restrict the Byzantine influence to a one-sided effect: the Byzantine process can pull the chosen root link closer but cannot push it farther. This can be achieved using a non-decreasing variable $level_v$ as follows: when a process $v$ finds a neighbor $u$ with a higher level, $v$ chooses $u$ as its parent and copies the level value from $u$. This allows the Byzantine process (say $z$) to make its neighbors choose $z$ as their parents by increasing its own level. However, $z$ cannot make its neighbors change their parents to other processes by decreasing its own level. Thus, the effect the Byzantine process can make is one-sided.

Protocol ss-TO is presented in Fig. 5. For simplicity, we regard the constant $N_v$ as denoting the neighbors of $v$ and regard the variable $prnt_v$ as storing a parent of $v$. Notice that they should actually be implemented using the ordinal numbers of neighbors that $v$ locally assigns.

The protocol is composed of three rules. The first one (GA1) is enabled when a process has a neighbor which provides a strictly greater level. When the rule is executed, the process chooses this neighbor as its parent and computes its new state as a function of this neighbor's state. The rule GA2 is enabled when a process $v$ has a neighbor $u$ (different from its current parent) with the same level such that $v$ is not the parent of $u$ in the current oriented tree. Then, $v$ chooses $u$ as its parent, increments its level by one and refreshes its shared registers. The last rule (GA3) is enabled for a process when there exists an inconsistency between its variables and its shared registers. The execution of this rule leads the process to compute the consistent values for all its shared registers.

4.3.2 Closure of Legitimate Configurations of ss-TO

We refine legitimate configurations of protocol ss-TO into several sets of configurations and show their properties. We cannot make any assumption on the initial values of register variables. But once a correct process $v$ executes its action, the variables of its output registers have values consistent with the process variables: $r\text{-}prnt_{v,prnt_v} = true$, $r\text{-}prnt_{v,w} = false$ ($w \in N_v - \{prnt_v\}$), and $r\text{-}level_{v,w} = level_v$ ($w \in N_v$) hold. In the following, we assume that all the variables of output registers of every correct process have consistent values. First we consider the fault-free case.

Definition 9 ($\mathcal{LC}_0$) In a fault-free tree, we define the set of configurations $\mathcal{LC}_0$ as the set of configurations such that: (a) $spec(v)$ holds for every process $v$ and (b) $level_u = level_v$ holds for any processes $u$ and $v$.

In any configuration of $\mathcal{LC}_0$, the variables $prnt_v$ of all processes form a rooted tree with a root link as in Fig. 3(a), and all variables $level_v$ have the same value.

Lemma 4 In a fault-free tree, once protocol ss-TO reaches a configuration $\rho$ in $\mathcal{LC}_0$, it remains at $\rho$.

Proof Consider any configuration $\rho$ in $\mathcal{LC}_0$. Since all variables $level_v$ have the same value, the guard of GA1 cannot be true in $\rho$. Since $spec(v)$ holds at every process in $\rho$, there exist no neighboring processes $u$ and $v$ such that $prnt_u \ne v$ and $prnt_v \ne u$ hold. It follows that the guard of GA2 cannot be true in $\rho$. Once each
constants of process v
  Δ_v = the degree of v;
  N_v = the set of neighbors of v;
variables of process v
  prnt_v : a neighbor of v;        // prnt_v = u if u is a parent of v.
  level_v : integer;
variables in shared register r_{v,u}
  r-prnt_{v,u} : boolean;          // r-prnt_{v,u} = true iff u is a parent of v.
  r-level_{v,u} : integer;         // the value of level_v
predicates
  pred1 : ∃u ∈ N_v [r-level_{u,v} > level_v]
  pred2 : ∃u ∈ N_v − {prnt_v} [(r-level_{u,v} = level_v) ∧ (r-prnt_{u,v} = false)]
  pred3 : ((r-prnt_{v,prnt_v}, r-level_{v,prnt_v}) ≠ (true, level_v)) ∨
          (∃u ∈ N_v − {prnt_v}, (r-prnt_{v,u}, r-level_{v,u}) ≠ (false, level_v))
atomic actions   // represented in form of guarded actions
  GA1 : pred1 →
        Let u be a neighbor of v s.t. r-level_{u,v} = max_{w ∈ N_v} r-level_{w,v};
        prnt_v := u; level_v := r-level_{u,v};
        (r-prnt_{v,u}, r-level_{v,u}) := (true, level_v);
        for each w ∈ N_v − {u} do (r-prnt_{v,w}, r-level_{v,w}) := (false, level_v);
  GA2 : ¬pred1 ∧ pred2 →
        Let u be a neighbor of v s.t. (r-level_{u,v} = level_v) ∧ (r-prnt_{u,v} = false);
        prnt_v := u; level_v := level_v + 1;
        (r-prnt_{v,u}, r-level_{v,u}) := (true, level_v);
        for each w ∈ N_v − {u} do (r-prnt_{v,w}, r-level_{v,w}) := (false, level_v);
  GA3 : ¬pred1 ∧ ¬pred2 ∧ pred3 →
        (r-prnt_{v,prnt_v}, r-level_{v,prnt_v}) := (true, level_v);
        for each w ∈ N_v − {prnt_v} do (r-prnt_{v,w}, r-level_{v,w}) := (false, level_v);

Figure 5: Protocol ss-TO (actions of process v)

process executes an action, all the variables of its output registers are consistent with its local variables, and thus, the guard of GA3 cannot be true. □

For the case with a single Byzantine process, we define the following sets of configurations.

Definition 10 ($\mathcal{LC}_1$) Let $z$ be the single Byzantine process in a tree system. A configuration is in the set $\mathcal{LC}_1$ if every subtree (or a connected component) of $S - \{z\}$ satisfies either the following (C1) or (C2).

(C1) (a) $spec(u)$ holds for every correct process $u$, (b) $prnt_v = z$ holds for the neighbor $v$ of $z$, and (c) $level_w \ge level_x$ holds for any neighboring correct processes $w$ and $x$ where $w$ is nearer than $x$ to $z$.

(C2) (d) $spec(u)$ holds for every correct process $u$, and (e) $level_v = level_w$ holds for any correct processes $v$ and $w$.

Definition 11 ($\mathcal{LC}_2$) Let $z$ be the single Byzantine process in a tree system. A configuration is in the set $\mathcal{LC}_2$ if every subtree (or a connected component) of $S - \{z\}$ satisfies the condition (C1) of Definition 10.

In any configuration of $\mathcal{LC}_2$, every subtree forms a rooted tree with the root process neighboring the Byzantine process $z$. For configurations of $\mathcal{LC}_2$, the following lemma holds.

Lemma 5 Once protocol ss-TO reaches a configuration $\rho$ of $\mathcal{LC}_2$, it remains in configurations of $\mathcal{LC}_2$ and, thus, no correct process $u$ changes $prnt_u$ afterward. That is, any configuration of $\mathcal{LC}_2$ is $(0, 1)$-contained.

Proof Consider any execution $e$ starting from a configuration $\rho$ of $\mathcal{LC}_2$. In $\rho$, every subtree of $S - \{z\}$ forms a rooted tree with the root process neighboring the Byzantine process $z$. Note that, as long as no correct process $u$ changes $prnt_u$ in $e$, action GA2 cannot be executed at any correct process. On the other hand, if a process $u$ executes action GA1 in $e$, $level_{prnt_u} \ge level_u$ necessarily holds immediately after this action. Consequently, if we assume that no correct process $u$ changes $prnt_u$ in $e$ (by execution of GA1) then every configuration of $e$ is in $\mathcal{LC}_2$. To prove the lemma, it remains to show that $e$ contains no activation of GA1 by a correct process that changes its parent. In the following, we show that any correct process $u$ never changes $prnt_u$ in $e$.

For contradiction, assume that a correct process $u$ changes $prnt_u$ first among all correct processes. Notice that every correct process $v$ can execute GA1 or GA3 but cannot change $prnt_v$ before $u$ changes $prnt_u$. Also notice that $u$ changes $prnt_u$ to its neighbor (say $w$) by execution of GA1 and $w$ is a correct process. From the guard of GA1, $level_w > level_u$ holds immediately before $u$ changes $prnt_u$. On the other hand, since $w$ is a correct process, $w$ never changes $prnt_w$ before $u$. This implies that $prnt_w = u$ holds immediately before $u$ changes $prnt_u$, and thus $level_u \ge level_w$ holds. This is a contradiction. □

Notice that a correct process $u$ may change $level_u$ by execution of GA1 even after a configuration of $\mathcal{LC}_2$. For example, when the Byzantine process $z$ increments $level_z$ infinitely often, every process $u$ may also increment $level_u$ infinitely often.
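The rules GA1 to GA3 of Fig. 5, the sets $\mathcal{LC}_0$ and $\mathcal{LC}_1$/$\mathcal{LC}_2$, and the one-sided behaviour described by Lemma 5 and the remark above can all be exercised in a small simulation. The following is an added example and not code from the paper: it encodes the process variables and shared registers of Fig. 5 literally, evaluates the three predicates from the registers a process reads, and schedules the correct processes with a round-robin central daemon (which is weakly fair). Everything else is an assumption of this example: the 7-process tree, the random initial configuration, the tie-break in GA1 when two neighbors advertise the same maximum level (Fig. 5 leaves it open; we keep the current parent), and the adversary strategy for the Byzantine leaf $z = 6$, which simply advertises a level one higher than before in its registers, as in the remark above. The first run starts from an arbitrary configuration without faults and stops in $\mathcal{LC}_0$; the second starts from that configuration (which is in $\mathcal{LC}_1$ with respect to $z$) and lets $z$ raise its level repeatedly: the correct processes reorient toward $z$, each changing its parent at most once, and afterwards only their level variables keep growing.

```python
import random

# Constructed 7-process tree (an assumption of this example, not the paper's
# figure); process 6 is the leaf that the second experiment turns Byzantine.
EDGES = [(0, 1), (1, 2), (2, 3), (1, 4), (4, 5), (5, 6)]
N = {v: [] for v in range(7)}
for a, b in EDGES:
    N[a].append(b); N[b].append(a)


class Config:
    """prnt_v, level_v and the shared registers r_{v,u} of all processes (Fig. 5)."""
    def __init__(self, seed):
        rnd = random.Random(seed)               # arbitrary initial configuration
        self.prnt = {v: rnd.choice(N[v]) for v in N}
        self.level = {v: rnd.randint(0, 3) for v in N}
        self.rprnt = {(v, u): rnd.random() < 0.5 for v in N for u in N[v]}
        self.rlevel = {(v, u): rnd.randint(0, 3) for v in N for u in N[v]}
        self.byz = set()                        # Byzantine processes (none yet)
        self.changes = {v: 0 for v in N}        # how often v changed prnt_v
    def correct(self):
        return [v for v in N if v not in self.byz]
    # predicates pred1..pred3 of Fig. 5, evaluated by v on the registers it reads
    def pred1(self, v):
        return any(self.rlevel[(u, v)] > self.level[v] for u in N[v])
    def pred2(self, v):
        return any(self.rlevel[(u, v)] == self.level[v] and not self.rprnt[(u, v)]
                   for u in N[v] if u != self.prnt[v])
    def pred3(self, v):                         # own registers disagree with variables
        return any((self.rprnt[(v, w)], self.rlevel[(v, w)]) !=
                   (w == self.prnt[v], self.level[v]) for w in N[v])
    def refresh(self, v):                       # write r_{v,w} consistently for all w
        for w in N[v]:
            self.rprnt[(v, w)] = (w == self.prnt[v])
            self.rlevel[(v, w)] = self.level[v]
    def set_parent(self, v, u, lvl):
        self.changes[v] += int(u != self.prnt[v])
        self.prnt[v], self.level[v] = u, lvl
        self.refresh(v)
    def step(self, v):                          # one atomic action of correct process v
        if self.pred1(v):                       # GA1: follow the highest advertised level
            best = max(self.rlevel[(u, v)] for u in N[v])
            cands = [u for u in N[v] if self.rlevel[(u, v)] == best]
            # tie-break (our assumption; Fig. 5 leaves it open): keep the current parent
            u = self.prnt[v] if self.prnt[v] in cands else cands[0]
            self.set_parent(v, u, best)
            return "GA1"
        if self.pred2(v):                       # GA2: claim an unclaimed link, level + 1
            u = next(u for u in N[v] if u != self.prnt[v] and not self.rprnt[(u, v)]
                     and self.rlevel[(u, v)] == self.level[v])
            self.set_parent(v, u, self.level[v] + 1)
            return "GA2"
        if self.pred3(v):                       # GA3: repair the shared registers only
            self.refresh(v)
            return "GA3"
        return None                             # v is not enabled
    def byzantine_bump(self, z):                # assumed adversary: z advertises level + 1
        for w in N[z]:
            self.rlevel[(z, w)] += 1; self.rprnt[(z, w)] = False
    def spec(self, v):                          # spec(v) of Section 4.1
        return all(self.prnt[v] == u or self.prnt[u] == v or u in self.byz for u in N[v])
    def in_lc0(self):                           # LC_0 (Def. 9): spec everywhere, one level
        return all(self.spec(v) for v in N) and len(set(self.level.values())) == 1
    def in_c1(self, z):                         # (C1) of Def. 10 for S - {z} (one subtree)
        ok = all(self.spec(u) for u in self.correct()) and all(self.prnt[y] == z for y in N[z])
        order, seen = [z], {z}                  # BFS from z: w is visited before farther x
        for w in order:
            for x in N[w]:
                if x not in seen:
                    seen.add(x); order.append(x)
                    ok = ok and (w == z or self.level[w] >= self.level[x])   # condition (c)
        return ok


def run_until_quiescent(cfg, passes=1000):     # fair central daemon: round-robin scans
    for _ in range(passes):
        if not any([cfg.step(v) is not None for v in cfg.correct()]):
            return cfg
    raise RuntimeError("no convergence within %d passes" % passes)


def byzantine_experiment(seed, bumps=4):
    """Lemmas 5/6 scenario: converge to LC_0 (hence LC_1), then z = 6 raises its level."""
    cfg, z = run_until_quiescent(Config(seed)), 6
    base = cfg.level[0]                         # common level of the LC_0 configuration
    cfg.byz.add(z)
    cfg.changes = {v: 0 for v in N}             # count parent changes from here on
    for _ in range(bumps):
        cfg.byzantine_bump(z)
        run_until_quiescent(cfg)
    return {"c1": cfg.in_c1(z), "level_gain": cfg.level[5] - base,
            "parent_changes": {v: cfg.changes[v] for v in cfg.correct()},
            "levels_equal": len({cfg.level[v] for v in cfg.correct()}) == 1}
```

`run_until_quiescent(Config(seed)).in_lc0()` is the fault-free check of Lemma 7; `byzantine_experiment(seed)` reports that the final configuration satisfies (C1), that every correct process changed its parent at most once (the single 0-disruption of Lemma 6, since $\Delta_z = 1$ here), and that the levels of all correct processes rose by exactly the number of bumps while staying equal to each other, which is the unbounded but harmless level growth noted above.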

Lemma 6 Any configuration $\rho$ in $\mathcal{LC}_1$ is $(\Delta_z, 1, 0, 1)$-time contained where $z$ is the Byzantine process.

Proof Let $\rho$ be a configuration of $\mathcal{LC}_1$. Consider any execution $e$ starting from $\rho$. By the same discussion as in the proof of Lemma 5, we can show that any subtree satisfying (C1) at $\rho$ always keeps satisfying the condition and no correct process $u$ in the subtree changes $prnt_u$ afterward.

Consider a subtree satisfying (C2) at $\rho$ and let $y$ be the neighbor of the Byzantine process $z$ in the subtree. From the fact that the variables $prnt_u$ form a rooted tree with a root link and all variables $level_u$ have the same value in the subtree at $\rho$, no process $u$ in the subtree changes $prnt_u$ or $level_u$ unless $y$ executes $prnt_y := z$ in $e$. When $prnt_y := z$ is executed, $level_y$ becomes larger than $level_u$ of any other process $u$ in the subtree. Since the value of the variable $level_u$ of each correct process $u$ is non-decreasing, every correct neighbor (say $v$) of $y$ eventually executes $prnt_v := y$ and $level_v := level_y$ (by GA1). By repeating the argument, we can show that the subtree eventually reaches a configuration satisfying (C1) in $O(d')$ rounds where $d'$ is the diameter of the subtree. It is clear that any configuration before reaching the first configuration satisfying (C1) is not in $\mathcal{LC}_1$, and that each process $u$ changes $prnt_u$ at most once during the execution.

Therefore, any execution $e$ starting from $\rho$ contains at most $\Delta_z$ 0-disruptions where each correct process $u$ changes $prnt_u$ at most once. □

4.3.3 Convergence of ss-TO

We first show convergence of protocol ss-TO to configurations of $\mathcal{LC}_0$ in the fault-free case.

Lemma 7 In a fault-free tree system, protocol ss-TO eventually reaches a configuration of $\mathcal{LC}_0$ from any initial configuration.

Proof We prove the convergence to a configuration of $\mathcal{LC}_0$ by induction on the number of processes $n$. It is clear that protocol ss-TO reaches a configuration of $\mathcal{LC}_0$ from any initial configuration in the case $n = 2$.

Now assume that protocol ss-TO reaches a configuration of $\mathcal{LC}_0$ from any initial configuration in the case that the number of processes is $n - 1$ (inductive hypothesis), and consider the case that the number of processes is $n$.

Let $u$ be any leaf process, $v$ be its only neighbor and $\rho$ be an arbitrary configuration. First, we show that any execution $e$ starting from $\rho$ reaches in finite time a configuration such that $level_v \ge level_u$ holds. If this condition holds in $\rho$, we have the result. Otherwise ($level_v < level_u$), $v$ is continuously enabled by GA1 (until the condition is true). Hence, the condition becomes true (by an activation of $v$) or this action is executed by $v$ in finite time. In both cases, we obtain that $level_v \ge level_u$ holds in at most one round.

After that, process $u$ can execute only the guarded actions GA1 or GA3 since $prnt_u = v$ always holds. Thus, after the first round completes, $prnt_u = v$ and $level_v \ge level_u$ always hold (indeed, $v$ can only increase its level variable and the level variable of $u$ cannot take values greater than $v$'s). It follows that $v$ never executes $prnt_v := u$ in the second round and later. This implies that $e$ reaches in finite time a configuration $\rho'$ such that (a) $prnt_v \ne u$ always holds after $\rho'$, or (b) $prnt_v = u$ always holds after $\rho'$ (since $v$ cannot execute $prnt_v := u$ after $\rho'$ if $prnt_v \ne u$).

In case (a), the behavior of $v$ after $\rho'$ is never influenced by $u$: $v$ behaves exactly the same even when $u$ does not exist. From the inductive hypothesis, protocol ss-TO eventually reaches a configuration $\rho''$ such that $S - \{u\}$ satisfies the condition of $\mathcal{LC}_0$ and remains in $\rho''$ afterward (from Lemma 4). After $u$ executes its action at $\rho''$, $level_u = level_v$ holds and thus the configuration of $S$ is in $\mathcal{LC}_0$.

Now consider case (b), where we do not use the inductive hypothesis. The fact that $prnt_v = u$ (and $prnt_u = v$) always holds after $\rho'$ implies that $level_v$ (and also $level_u$) remains unchanged after $\rho'$. Assume now that a neighbor $w$ ($\ne u$) of $v$ continuously satisfies $level_w \ne level_v$ or $prnt_w \ne v$ from a configuration $\rho''$ of $e$ after $\rho'$. If $w$ continuously satisfies $level_w > level_v$ from $\rho''$, then $v$ executes GA1 in finite time, which is a contradiction. If $w$ continuously satisfies $level_w < level_v$ from $\rho''$, then $w$ executes GA1 in finite time and takes a level value such that $level_w \ge level_v$, which contradicts the fact that $w$ continuously satisfies $level_w < level_v$ from $\rho''$. This implies that $level_w = level_v$ and $prnt_w = v$ hold in finite time in any execution starting from $\rho'$. As $w$ does not modify its state after $\rho'$, $w$ is never enabled after $\rho'$. This implies that the fragment of $S$ consisting of processes within distance two from $u$ reaches a configuration satisfying the condition of $\mathcal{LC}_0$ and remains unchanged. We can now apply the same reasoning by induction on the distance of any process to $u$ and show that ss-TO eventually reaches a configuration in $\mathcal{LC}_0$ where link $(u, v)$ is the root link.

Consequently, protocol ss-TO reaches a configuration of $\mathcal{LC}_0$ from any initial configuration. □

Now, we consider the case with a single Byzantine process.

Lemma 8 In a tree system with a single Byzantine process, protocol ss-TO eventually reaches a configuration of $\mathcal{LC}_1$ from any initial configuration.

Proof Let $z$ be the Byzantine process, $S'$ be any subtree (or a connected component) of $S - \{z\}$ and $y$ be the process in $S'$ neighboring $z$ (in $S$).

We prove, by induction on the number of processes $n'$ of $S'$, that $S'$ eventually reaches a configuration satisfying the condition (C1) or (C2) of Definition 10.

It is clear that $S'$ reaches a configuration satisfying (C1) from any initial configuration in the case $n' = 1$.

Now assume that $S'$ reaches a configuration satisfying (C1) or (C2) from any initial configuration in the case $n' = k - 1$ (inductive hypothesis), and consider the case $n' = k$ ($\ge 2$).

From $n' \ge 2$, there exists a leaf process $u$ in $S'$ that is not neighboring the Byzantine process $z$. Let $v$ be the neighbor of $u$. Since processes $u$ and $v$ are correct processes, we can show the following by the same argument as in the fault-free case (Lemma 7): after some configuration $\rho$, (a) $prnt_v \ne u$ always holds, or (b) $prnt_v = u$ always holds. In case (a), we can show from the inductive hypothesis that $S'$ eventually reaches a configuration satisfying (C1) or (C2). In case (b), we can show that $S'$ eventually reaches a configuration satisfying (C2) where link $(u, v)$ is the root link.

Consequently, protocol ss-TO reaches a configuration of $\mathcal{LC}_1$ from any initial configuration. □

The following main theorem is obtained from Lemmas 4, 5, 6, 7 and 8.

Theorem 3 Protocol ss-TO is a $(\Delta, 0, 1)$-strongly stabilizing tree-orientation protocol.

4.3.4 Round Complexity of ss-TO 

In this subsection, we focus on the round complexity of ss-TO. First, we show the following lemma.

Lemma 9 Let $v$ and $u$ be any neighbors in $S$. Let $S'$ be the subtree of $S - \{v\}$ containing $u$ and $h(v,u)$ be the largest distance from $v$ to a leaf process of $S'$. If $S' \cup \{v\}$ contains no Byzantine process, $prnt_v := u$ of GA1 or GA2 can be executed only in the first $2h(v,u)$ rounds. Moreover, in round $2h(v,u)+1$ or later, $level_v$ remains unchanged as long as $prnt_v = u$ holds.
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Proof We prove the lemma by induction on h(v,u). 

First consider the case of h{v,u) = 1, where m is a leaf process. When the first round completes, all the 
output registers of every process becomes consistent with the process variables. Since u is a leaf process, 
prntu = V always holds. It follows that process v can execute prnty := u only in GAl. Once v executes its 
action in the second round, levels > levelu holds and prnty := u of GAl cannot be executed afterward (see 
proof of Lemma[7|). Thus, prnty := u of GAl can be executed only in the first and second rounds. It is clear 
that in round 3 or later, levels remains unchanged as long as prnty = u holds. 

We assume that the lemma holds when h{v,u) < k — 1 (inductive hypothesis) and consider the case of 
h{v,u) — k. We assume that prnty :— u of GAl or GA2 is executed in round r, and show that r < 2k holds 
in the following. Variable levely is also incremented in the action, and let ^ be the resultant value of levely. 
In the following, we consider two cases. 

• Case that prnty := u of GAl is executed in round r: when prnty := u is executed, levely — t holds. 
But levely < i holds when v executes its action in round r — 1; otherwise, v reaches a state with 
levely > ^ in round r — 1 and cannot execute prnty := u (with levely := £) in round r. This implies 
that u incremented levely to i in round r — 1 or r. 

In the case that u makes the increment of levely by GAl, u executes prnty := w for w {^ v) in the 
same action. Since h{u, w) < h{v, u) holds, the action is executed in the first 2h{u, w) rounds from the 
inductive hypothesis. Consequently, prnty := u of GAl is executed in round 2h{u,w) + 1 (< 2h{v,u)) 
at latest. 

In the case that u makes the increment of levely by GA2, u executes prnty := w for some w (e Ny) in 
the same action, where w = v may hold. For the case oi w ^ v, we can show, by the similar argument 
to the above, that prnty := u is executed in round 2h{u,w) + 1 (< 2h{v,u)) at latest. Now consider 
the case oi w = v. Then levely = levely = £ — 1, prnty ^ u and prnty ^ v hold immediately before u 
executes prnty :— v and levely :— L Between the actions of levely := £ — 1 (with prnty :— w {w ^ v)) 
and levely := £ (with prnty :— v), v can execute its action at most once; otherwise, levely > £ ^ 1 
holds after the first action, and levely > £ or prnty = u holds after the second action. This implies 
that levely := £ — 1 with prnty := w (w ^ v) is executed in the previous or the same round as the 
action of levely := £, and thus, in round r — 2 or later. Since h{u,w) < h{v,u) holds, the action is 
executed in the first 2h{u,w) rounds from the inductive hypothesis. Consequently, prnty := u of GAl 
is executed in round 2h{u, w) + 2 (< 2h{v, u)) at latest. 

• Case that prnt_v := u is executed in GA2: then level_v = level_u = ℓ − 1, prnt_v ≠ u and prnt_u ≠ v hold 
immediately before v executes prnt_v := u and level_v := ℓ. Between the executions of level_u := ℓ − 1 
and level_v := ℓ, u can execute its action at most once, and u executes prnt_u := w for some w (≠ v) in 
that action. Since h(u, w) < h(v, u) holds, this action is executed in the first 2h(u, w) rounds by the 
inductive hypothesis. Consequently, prnt_v := u is executed in round 2h(u, w) + 1 (< 2h(v, u)). 

It remains to show that level_v remains unchanged in round 2h(v, u) + 1 or later, as long as prnt_v = u 
holds. Now assume that prnt_v = u holds at the end of round 2h(v, u). 

• Case that prnt_u = v holds at the end of round 2h(v, u): since h(u, w) < h(v, u) for any w ∈ N_u − {v}, 
prnt_u := w cannot be executed in round 2h(v, u) + 1 or later by the inductive hypothesis, and so 
prnt_u = v holds afterward. Thus, it is clear that level_v remains unchanged as long as prnt_v = u (and 
prnt_u = v) holds. 

• Case that prnt_u ≠ v holds at the end of round 2h(v, u): let prnt_u = w hold for some w ∈ N_u − {v} 
at the end of round 2h(v, u). Since h(u, w) < h(v, u), level_u remains unchanged as long as prnt_u = w 
holds, by the inductive hypothesis. It follows that level_v remains unchanged as long as prnt_v = u 
and prnt_u = w hold. Since h(u, x) < h(v, u) for any x ∈ N_u − {v}, prnt_u := x cannot be executed in 
round 2h(v, u) + 1 or later, but prnt_u := v can be executed. Immediately after the execution of prnt_u := v, 
level_u = level_v holds if prnt_v remains unchanged. Thus, it is clear that level_v remains unchanged as 
long as prnt_v = u (and prnt_u = v) holds. □ 
The following lemma holds for the fault-free case. 

Lemma 10 In a fault-free tree system, protocol ss-TO reaches a configuration of CC_0 from any initial 
configuration in O(d) rounds, where d is the diameter of the tree system S. 

Proof Lemma [5] implies that, in round 2d + 1 or later, no process v changes prnt_v or level_v, and thus 
the configuration remains unchanged. Lemma [7] guarantees that the final configuration is a configuration in 
CC_0. □ 

For the single-Byzantine case, the following lemma holds. 

Lemma 11 In a tree system with a single Byzantine process, protocol ss-TO reaches a configuration of CC_1 
from any initial configuration in O(n) rounds. 

Proof Let z be the Byzantine process and S' be any subtree of S − {z}. Let v be the neighbor of z in S'. 
From Lemma [9], v cannot execute prnt_v := w for any w ∈ N_v − {z} in round 2d' + 1 or later, where d' is the 
diameter of S'. We consider the following two cases depending on prnt_v. 

• Case 1: there exists w ∈ N_v − {z} such that prnt_v = w at the end of round 2d' and prnt_v remains 
unchanged during the following d' rounds (from round 2d' + 1 to round 3d'). 

From Lemma [9], level_v also remains unchanged during these d' rounds. By an argument similar to that 
in the proof of Lemma [6], we can show that S' reaches a configuration satisfying condition (C2) of 
Definition [10] by the end of round 3d'. 

• Case 2: prnt_v = z at the end of round 2d', or there exists at least one configuration during the following 
d' rounds (from round 2d' + 1 to round 3d') in which prnt_v = z holds. 

Let c be the configuration where prnt_v = z holds. From Lemma [6], prnt_v = z always holds after c. We 
can show, by induction on k, that the fraction of S' consisting of the processes within distance k of v 
satisfies condition (C1) at the end of k rounds after c. Thus, S' reaches a configuration satisfying 
condition (C1) of Definition [10] by the end of round 4d'. 

After a subtree reaches a configuration satisfying condition (C2), its configuration may change into 
one satisfying condition (C1), and the configuration may satisfy neither (C1) nor (C2) during the transition. 
However, Lemma [6] guarantees that the length of the period during which the subtree satisfies neither (C1) nor (C2) 
is O(d') rounds, where d' is the diameter of the subtree. Since the total of the diameters of all the subtrees in 
S − {z} is O(n), the convergence to a configuration of CC_1 satisfying (C1) or (C2) can be delayed by at most 
O(n) rounds. □ 

Finally, we can show the following theorem. 

Theorem 4 Protocol ss-TO is a (Δ, 0, 1)-strongly stabilizing tree-orientation protocol. The protocol reaches 
a configuration of CC_0 ∪ CC_1 from any initial configuration. The protocol may move from a legitimate 
configuration to an illegitimate one because of the influence of the Byzantine process, but it can stay in 
illegitimate configurations for a total of O(n) rounds (not necessarily consecutive) in the whole 
execution. 

Proof Theorem [3] shows that ss-TO is a (Δ, 0, 1)-strongly stabilizing tree-orientation protocol. Lemmas [10] 
and [11] guarantee that ss-TO reaches a configuration of CC_0 ∪ CC_1 from any initial configuration within O(n) 
rounds. For the case with a single Byzantine process (say z), each subtree of S − {z} may experience an 
illegitimate period (satisfying neither condition (C1) nor (C2)) after such a configuration. However, Lemma 
[6] guarantees that the length of the illegitimate period is O(d'), where d' is the diameter of the subtree. Since 
the total of the diameters of all the subtrees in S − {z} is O(n), the total length of the periods that satisfy 
neither (C1) nor (C2) is O(n) rounds. □ 
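The round bounds in the proofs above are all functions of the tree's shape: Lemma 9 counts rounds in terms of h(v, u), and Lemma 11 and Theorem 4 charge each subtree of S − {z} at most O(d') rounds and rely on the diameters of those subtrees summing to O(n). The following script is an added illustration of those quantities on a small constructed tree; it is not code from the paper and does not implement ss-TO. It assumes h(v, u) is the height of u's side of the edge (v, u) (the side not containing v, leaves having height 0), which is what the inequality h(u, w) < h(v, u) for w ∈ N_u − {v} used in the inductive step requires; the paper's own definition is given in an earlier section not reproduced here. Node labels, the tree shape and the choice of Byzantine process z are constructed sample values.

```python
from collections import defaultdict, deque

# Constructed sample tree, not taken from the paper: a path 0-1-2-3-4 with a
# branch 2-5-6 and a leaf 7 attached to node 1 (n = 8 processes).
SAMPLE_EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (2, 5), (5, 6), (1, 7)]


def adjacency(edges):
    """Undirected adjacency sets N_v for each process v."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def directed_height(adj, v, u):
    """Assumed definition of h(v, u): height of the subtree on u's side of the
    edge (v, u), i.e. the component containing u once (v, u) is removed.
    A leaf u (whose only neighbour is v) has height 0."""
    return max((1 + directed_height(adj, u, w) for w in adj[u] - {v}), default=0)


def check_height_monotonicity(adj):
    """The inequality the inductive step of Lemma 9 relies on:
    h(u, w) < h(v, u) for every directed edge (v, u) and every w in N_u - {v}."""
    for v in adj:
        for u in adj[v]:
            h_vu = directed_height(adj, v, u)
            if any(directed_height(adj, u, w) >= h_vu for w in adj[u] - {v}):
                return False
    return True


def lemma9_round_bound(adj):
    """Largest 2h(v, u) over all directed edges: after this many rounds no
    prnt_v := u can still be executed, which is why Lemma 10 uses 2d + 1."""
    return max(2 * directed_height(adj, v, u) for v in adj for u in adj[v])


def components_without(adj, z):
    """The subtrees of S - {z}: connected components after deleting process z."""
    seen, comps = {z}, []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            x = queue.popleft()
            comp.add(x)
            for y in adj[x]:
                if y not in seen:
                    seen.add(y)
                    queue.append(y)
        comps.append(comp)
    return comps


def diameter(adj, nodes):
    """Diameter of the tree induced by `nodes`, by the usual double BFS."""
    def farthest(src):
        dist, queue = {src: 0}, deque([src])
        while queue:
            x = queue.popleft()
            for y in adj[x]:
                if y in nodes and y not in dist:
                    dist[y] = dist[x] + 1
                    queue.append(y)
        far = max(dist, key=dist.get)
        return far, dist[far]
    a, _ = farthest(next(iter(nodes)))
    _, d = farthest(a)
    return d


def containment_budget(edges, z):
    """For each subtree S' of S - {z}, its diameter d' and the round marks used in
    the proof of Lemma 11 (2d': prnt_v of z's neighbour settles; 3d': (C2) reached
    in Case 1; 4d': (C1) reached in Case 2).  Also returns the sum of the d',
    which is at most n - 1 because the subtrees partition S - {z}."""
    adj = adjacency(edges)
    rows, total = [], 0
    for comp in components_without(adj, z):
        d = diameter(adj, comp)
        rows.append((d, 2 * d, 3 * d, 4 * d))
        total += d
    return rows, total


if __name__ == "__main__":
    adj = adjacency(SAMPLE_EDGES)
    print("h(u,w) < h(v,u) everywhere:", check_height_monotonicity(adj))
    print("max 2h(v,u):", lemma9_round_bound(adj), " 2d:", 2 * diameter(adj, set(adj)))
    rows, total = containment_budget(SAMPLE_EDGES, z=2)
    for d, r2, r3, r4 in rows:
        print(f"subtree d'={d}: settle by {r2}, (C2) by {r3}, (C1) by {r4}")
    print("sum of d' =", total, "<= n - 1 =", len(adj) - 1)
```

Choosing z = 2 (the branching node) splits the sample tree into three subtrees of diameters 2, 1 and 1, so the per-subtree budgets are small and their sum (4) stays below n − 1 = 7; picking a leaf as z instead leaves one subtree with diameter equal to almost the whole tree, which is the worst case for the O(n) bound of Theorem 4.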
5 Concluding Remarks 

We introduced the notion of strong stabilization, a property that permits self-stabilizing protocols to contain 
Byzantine behaviors for tasks where strict stabilization is impossible. In strong stabilization, only the first 
Byzantine actions that are performed by a Byzantine process may disturb the system. If the Byzantine 
node does not execute Byzantine actions, but only correct actions, its existence remains unnoticed by the 
correct processes. So, by behaving correctly for a while, the Byzantine node can postpone disturbing the system 
arbitrarily far into the execution. By contrast, if the Byzantine node executes many Byzantine actions at the beginning 
of the execution, there exists a time after which those Byzantine actions have no impact on the system. 
As a result, the faster an attacker spends its Byzantine actions, the faster the system becomes resilient to 
subsequent Byzantine actions. An interesting trade-off appears: the more Byzantine actions are actually 
performed, the faster our protocols stabilize (since the number of steps performed by correct 
processes in response to Byzantine disruption is independent of the number of Byzantine actions). Our 
work raises several important open questions: 

1. Is there a trade-off between the number of perturbations Byzantine nodes can cause and the containment 
radius? In this paper, we strove to obtain an optimal containment radius in strong stabilization, but it 
is likely that some problems do not allow strong stabilization with containment radius 0. It is then 
important to characterize the difference in containment radius when the task to be solved is "harder" 
than tree orientation or tree construction. 

2. Is there a trade-off between the total number of perturbations Byzantine nodes can cause and the 
number of Byzantine nodes, that is, is a single Byzantine node more effective at harming the system than 
a team of Byzantine nodes, considering the same total number of Byzantine actions? A first step in 
this direction was recently taken by [16], where the number of Byzantine actions is assumed to be upper bounded, 
for the (global) problem of leader election. Their result hints that only the Byzantine actions are relevant, 
independently of the number of processes that perform them. It is thus interesting to see whether the result 
still holds in the case of a potentially infinite number of Byzantine actions. 